As pointed out on the WordPress development blog, a cracker gained access to the wordpress.org servers and replaced the 2.1.1 download with a modified, exploitable version. The exploitable download may have been on the site for three or four days!
It may be a good idea for the WordPress developers to sign their releases with a well-known and trusted PGP key. This would allow people to verify that a downloaded file is really what the developers released!
This is a well-established practice used by other projects, for example by the Linux kernel.
Signing releases with a PGP key would be a good idea, but of course 95% of the people installing WordPress probably wouldn’t understand how to verify a PGP signature, or would be too lazy to do it.
Even if they do validate it, unless they get the public key from a trusted source that the cracker can’t alter (e.g. from a keyserver) then it still doesn’t add a massive amount of safety. If the key was hosted on the site hosting the download, a cracker could just create a new key and sign their altered code with that instead.
Even if only 5% (that estimate probably is too high) would check the signature, a compromised download wouldn’t go undetected for more than three days!
And you’re right, downloading an untrusted key and a signed file at the same time is a bad idea! The key used for signing downloads has to be integrated into trust management, i.e. it has to be signed by well-known and trusted people.
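The verification described in the post and the reply above, as an added shell example that is not code from the original post or from WordPress: a download is accepted only if its detached signature was made by a key whose fingerprint was pinned from a source other than the download server, so a key freshly created on the compromised host is rejected. It assumes GnuPG 2.x is installed; the key, archive and signature are constructed locally so it runs offline.

```shell
#!/bin/sh
# Added example, not code from the original post: verify a release archive
# against a detached PGP signature and accept it only if the signing key's
# fingerprint matches one obtained out of band (pinned), so a key planted
# beside a tampered download on the same server is rejected. Assumes GnuPG 2.x
# (gpg) is installed; the key, archive and signature are constructed locally.
set -u

# verify_release FILE SIG PINNED_FPR GNUPGHOME: 0 only for a good signature
# over FILE made by the pinned key; a broken file or any other key fails.
verify_release() {
  [ -n "$3" ] || return 1
  status=$(GNUPGHOME=$4 gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
  # VALIDSIG lines carry the fingerprint of the key that made the signature
  printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG .*$3" || return 1
}

# make_signer HOME: throwaway keyring with one key; prints its fingerprint
make_signer() {
  mkdir -p "$1" && chmod 700 "$1" || return 1
  GNUPGHOME=$1 gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key 'Release Signer (constructed)' default default never 2>/dev/null || return 1
  GNUPGHOME=$1 gpg --batch --list-keys --with-colons 2>/dev/null | awk -F: '$1=="fpr"{print $10; exit}'
}

# sign_file HOME FILE: writes an ASCII-armored detached signature to FILE.asc
sign_file() {
  GNUPGHOME=$1 gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' \
    --armor --detach-sign --output "$2.asc" "$2" 2>/dev/null
}

# demo_run: genuine archive passes; a tampered archive fails; the tampered
# archive re-signed with a fresh key (the case the comments describe) also
# fails because the pinned fingerprint does not match. Prints "ok".
demo_run() {
  work=$(mktemp -d) || return 1
  rel=$work/wordpress-2.1.1.tar.gz
  printf 'constructed release contents\n' > "$rel"
  pinned=$(make_signer "$work/project") || return 1     # fingerprint published out of band
  sign_file "$work/project" "$rel" || return 1
  verify_release "$rel" "$rel.asc" "$pinned" "$work/project" || return 1
  printf 'backdoor\n' >> "$rel"                          # archive altered after signing
  verify_release "$rel" "$rel.asc" "$pinned" "$work/project" && return 1
  make_signer "$work/attacker" >/dev/null || return 1    # new key created on the compromised host
  sign_file "$work/attacker" "$rel" || return 1
  verify_release "$rel" "$rel.asc" "$pinned" "$work/attacker" && return 1
  rm -rf "$work"
  echo ok
}
```

In practice the pinned fingerprint would be compared against a key in the verifier's own keyring, obtained through the web of trust or another channel the download server cannot alter.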